Profile Applicability:

  • Level 2

Description:

It is recommended to enable uniform bucket-level access on Cloud Storage buckets to standardize and simplify access permissions. This ensures access is managed only through Cloud Identity and Access Management (Cloud IAM) and not through Access Control Lists (ACLs).

Rationale:

Cloud Storage allows permissions to be granted through either Cloud IAM or ACLs. With uniform bucket-level access enabled, ACLs are disabled, and access to all Cloud Storage resources is managed solely through Cloud IAM. This provides a consistent and simplified permission model, ensuring that if a bucket is not publicly accessible, its contents are also secured.

Enabling uniform bucket-level access eliminates potential inconsistencies between IAM and ACL permissions, reducing the risk of unintentional exposure of sensitive data. It ensures that access is applied uniformly across all objects within the bucket.

Impact:

  • Users relying solely on object ACLs for access will lose permissions when uniform bucket-level access is enabled.

  • Some Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, may not support exporting to buckets with uniform bucket-level access enabled.

Default Value:

By default, Cloud Storage buckets are configured with fine-grained access control and do not have uniform bucket-level access enabled.

Audit Steps:

From Google Cloud Console:

  1. Navigate to the Cloud Storage Browser.

  2. Verify the Access control column for each bucket. It should display the value Uniform.

From Google Cloud CLI:

List all buckets in the project:

gsutil ls

Check if uniform bucket-level access is enabled for each bucket:

gsutil uniformbucketlevelaccess get gs://BUCKET_NAME/

If uniform bucket-level access is enabled, the response will include:

Uniform bucket-level access setting for gs://BUCKET_NAME/:
Enabled: True
LockedTime: LOCK_DATE
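The CLI audit above can be scripted across every bucket in the project. The helper below is an added example, not part of the CIS benchmark text or of gsutil itself; it parses the `gsutil uniformbucketlevelaccess get` output shown above, reports the lock time (relevant to the 90-day lock described later on this page), and loops over `gsutil ls`. The sample outputs and bucket names in it are constructed, and the live audit assumes an installed, authenticated gsutil.

```shell
#!/bin/sh
# Added audit helper for uniform bucket-level access (UBLA); not from the benchmark.

# Classify captured output of `gsutil uniformbucketlevelaccess get`.
# Prints "enabled", "disabled" or "unknown"; anything but "enabled" is a finding.
ubla_status() {
  case "$1" in
    *"Enabled: True"*)  echo enabled ;;
    *"Enabled: False"*) echo disabled ;;
    *)                  echo unknown ;;
  esac
}

# Print the LockedTime value (empty if the bucket is not yet locked).
ubla_lock_time() {
  printf '%s\n' "$1" | sed -n 's/^LockedTime: //p'
}

# Audit every bucket in the active project: one PASS/FAIL line per bucket,
# return 1 if any bucket lacks UBLA. Assumes gsutil is installed and authenticated.
audit_buckets() {
  _rc=0
  for _b in $(gsutil ls); do
    _out=$(gsutil uniformbucketlevelaccess get "$_b" 2>&1)
    _status=$(ubla_status "$_out")
    if [ "$_status" = enabled ]; then
      printf 'PASS %s (locked: %s)\n' "$_b" "$(ubla_lock_time "$_out")"
    else
      printf 'FAIL %s (status: %s)\n' "$_b" "$_status"
      _rc=1
    fi
  done
  return $_rc
}

# Constructed sample outputs (bucket names and dates are made up) for a self-check.
SAMPLE_ENABLED='Uniform bucket-level access setting for gs://example-bucket/:
Enabled: True
LockedTime: 2024-04-01 00:00:00'
SAMPLE_DISABLED='Uniform bucket-level access setting for gs://legacy-bucket/:
Enabled: False'

# Run the live audit only when asked; otherwise exercise the parser on the samples.
if [ "${1:-}" = "--audit" ]; then
  audit_buckets
else
  ubla_status "$SAMPLE_ENABLED"      # enabled
  ubla_status "$SAMPLE_DISABLED"     # disabled
  ubla_lock_time "$SAMPLE_ENABLED"   # 2024-04-01 00:00:00
fi
```

Run it as `sh ubla_audit.sh --audit` against the active gcloud project; a non-zero exit code means at least one bucket still uses fine-grained (ACL-based) access control.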

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the Cloud Storage Browser.

  2. Click on the desired bucket name to open its details.

  3. Go to the Permissions tab.

  4. Click Edit in the section that mentions fine-grained access control.

  5. In the pop-up, select Uniform and click Save.

From Google Cloud CLI:

Enable uniform bucket-level access for a bucket:

gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/

Prevention:

To enforce uniform bucket-level access for all new buckets, configure an Organization Policy:

Backout Plan:

  1. Revert to ACL-based Access: If uniform bucket-level access (UBLA) was enabled mistakenly or needs to be reverted, you can disable it using the following command:

     gsutil uniformbucketlevelaccess set off gs://BUCKET_NAME/

  2. Review Bucket Permissions: Ensure that all required ACLs and IAM roles are configured correctly after reverting UBLA.

  3. Verify Access: Confirm that all necessary users and applications still have the required access after the rollback.

  4. Notify Stakeholders: Inform stakeholders of the rollback and explain the reason for reverting the change.

Additional Information:

  • Once uniform bucket-level access has been enabled for 90 consecutive days, it cannot be disabled.

  • Organizations should migrate permissions from ACLs to IAM policies before enabling uniform bucket-level access to avoid disruptions.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.3 Configure Data Access Control Lists | Set access control lists based on the principle of least privilege for secure access. | | |
14.6 Protect Information Through Access Control Lists | Secure sensitive data using standardized access controls for all systems and resources. | | |